envoyproxy/envoy

Remove SHA-1 cipher suites from the defaults on the server-side

Open

#5,400 建立於 2018年12月22日

在 GitHub 查看
 (0 留言) (0 反應) (0 負責人)C++ (5,373 fork)batch import
area/tlshelp wanted

倉庫指標

Star
 (27,997 star)
PR 合併指標
 (平均合併 8天) (30 天內合併 378 個 PR)

描述

This is the intent to remove remaining SHA-1 cipher suites (i.e. ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA and ECDHE-RSA-AES256-SHA) from the default cipher suites on the server-side.

This change will affect your deployment if it's using default cipher suites (i.e. not configuring cipher_suites) and it's accepting incoming connections using those cipher suites:

$ curl -s localhost:9901/stats | grep -E "^listener.*.ssl.ciphers..*SHA:"
listener.<address>.ssl.ciphers.ECDHE-ECDSA-AES128-SHA: 1
listener.<address>.ssl.ciphers.ECDHE-ECDSA-AES256-SHA: 1
listener.<address>.ssl.ciphers.ECDHE-RSA-AES128-SHA: 1
listener.<address>.ssl.ciphers.ECDHE-RSA-AES256-SHA: 1

(This works only with Envoy v1.9.0 and newer)

ETA: 1.15 (i.e. ~late 2020)

貢獻者指南